Dropbox, Google Drive, Box are ubiquitous but are they safe?
How many of us use these public file sharing services without considering the implications for the information we entrust to them? They are, after all, free and easy to use, and they offer some reassurance that our information is in the cloud should something happen to our device.
The reality is that they provide only a basic level of security, because their primary function is back-up. Basic security is also present where collaboration features are offered, but it remains secondary to the main aim of easy sharing.
In an article in Legal Insider, Mike Batters, Technical Director at NETprotcol, observes that Dropbox
“didn’t notice a group of machines systematically trying thousands of email/password combinations to gain access”.
Dropbox’s vulnerability is further highlighted:
“public file links are commonly used to deliver Ransomware, such as CryptoLocker, and other Malware to users. As users see Dropbox as a trusted brand, they are more inclined to click links in random e-mails assuming they are safe and genuinely believing Dropbox have somehow “checked” the files are safe.”
Mike concludes that public file links are:
“a very simple and highly effective piece of social engineering on the part of the attackers, which works time and time again and should really be driving network security administrators to block Dropbox outright in corporate networks”
Jane McCallion, writing in IT Pro states:
“the truth is that, despite its reputation as a spreader of data insecurity within companies, Dropbox for Business can be equally as secure as other solutions, including rivals such as Box, Mozy, SugarSync, Acronis or even Amazon S3. Like them, it offers SSL/TLS encryption for data in transit, AES encryption for data at rest, as well as admin features like SSO, two-factor authentication (2FA), remote wiping and shared audit logs”.
She observes that:
“Any solution is only as secure as its weakest link, and at this point it is in the hands of the IT administrators to bring in both a user education programme and the appropriate processes to ensure what data is stored where is compliant with legislation”.
Related to this second point, Jane uses two examples to highlight the issue that arises with many international providers:
“if there is personally identifiable information or data that has to stay within the UK or EU then Dropbox would likely be unsuitable, as all its data centres are located in the US”.
There is overwhelming consensus from the cyber fraud community that the free-to-use versions of public file sharing services are vulnerable to cyber fraud and that their use in a corporate environment should be avoided. Their paid-for equivalents are more secure, but may be unsuitable where the location of information is critical.